CVE-2025-3472
published 2025-04-22

Priority: P2 70 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.72% (74.6th percentile)

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

Affected

2 ranges
Vendor    Product       Version range   Fixed in
oceanwp   ocean_extra   < 2.4.7         2.4.7
oceanwp   ocean_extra   <= 2.4.6

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
command: action=update_oceanwp_woo_free_shipping_left_shortcode&content_rech_data=[woocommerce_my_account]&content=test
other: action=update_oceanwp_woo_free_shipping_left_shortcode
path: /includes/shortcodes/shortcodes.php
  • Look for unauthenticated POST requests to /wp-admin/admin-ajax.php with the AJAX action 'update_oceanwp_woo_free_shipping_left_shortcode' and a 'content_rech_data' parameter containing arbitrary shortcode values.
  • Successful exploitation returns a JSON response (Content-Type: application/json, HTTP 200) with body containing 'oceanwp-woo-free-shipping' alongside authentication form fields such as 'username' and 'password', indicating shortcode execution output.
  • The vulnerable parameter is 'content_rech_data' — monitor for shortcode syntax (e.g., bracket-enclosed strings) supplied to this parameter in admin-ajax.php POST bodies.
  • The attack requires WooCommerce to be installed and active on the target WordPress site. Scope detection to hosts matching both 'oceanwp' and 'woocommerce' fingerprints.
  • Pre-exploitation recon step: attacker performs GET /?s=&post_type=product to enumerate a valid WooCommerce product ID (extracted from 'add-to-cart=' or 'data-product_id=' patterns), then adds it to cart before triggering the AJAX action.
  • Exploitation requires WooCommerce to be simultaneously installed and activated alongside Ocean Extra; the vulnerability is not exploitable without WooCommerce present.
  • All Ocean Extra plugin versions up to and including 2.4.6 are affected; version 2.4.7 and later contain the fix.
  • The exploit flow is multi-step: it first requires a valid WooCommerce product ID to be added to the cart (via GET /?add-to-cart=<id>) before the AJAX shortcode execution endpoint can be triggered successfully.
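
The request-side checks in the detection list above can be run over parsed web or WAF logs. The following is an added example, not code from this page or from the Ocean Extra project; the record schema (src, method, url, body, cookie) and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "update_oceanwp_woo_free_shipping_left_shortcode"
# Bracket-enclosed shortcode tag such as [name] or [name attr="x"]
SHORTCODE = re.compile(r"\[[A-Za-z_][\w-]*[^\]]*\]")

def inspect(req):
    """Return a finding for one request record (assumed schema), or None."""
    if req["method"].upper() != "POST":
        return None
    url = urlsplit(req["url"])
    # endswith() also covers WordPress installed in a subdirectory
    if not url.path.endswith(AJAX_PATH):
        return None
    # admin-ajax.php accepts the action in the query string or the body;
    # parse_qs URL-decodes, so %5Btag%5D is caught as well as [tag]
    params = parse_qs(url.query)
    for key, vals in parse_qs(req.get("body", "")).items():
        params.setdefault(key, []).extend(vals)
    if ACTION not in params.get("action", []):
        return None
    tags = [m.group(0) for v in params.get("content_rech_data", [])
            for m in SHORTCODE.finditer(v)]
    if not tags:
        return None
    # WordPress login cookies are named wordpress_logged_in_<hash>
    unauth = "wordpress_logged_in_" not in req.get("cookie", "")
    return {"src": req.get("src", "?"), "shortcodes": tags,
            "unauthenticated": unauth}

def scan(records):
    return [f for f in map(inspect, records) if f]

# Constructed records; the first body is the request string from the IOC list
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "url": AJAX_PATH, "cookie": "",
     "body": f"action={ACTION}&content_rech_data=[woocommerce_my_account]&content=test"},
    {"src": "203.0.113.8", "method": "POST", "cookie": "",
     "url": f"/shop{AJAX_PATH}?action={ACTION}",
     "body": "content_rech_data=%5Bwoocommerce_my_account%5D"},
    {"src": "198.51.100.2", "method": "POST", "url": AJAX_PATH, "cookie": "",
     "body": "action=heartbeat&data=%5Bx%5D"},
    {"src": "198.51.100.3", "method": "POST", "url": AJAX_PATH, "cookie": "",
     "body": f"action={ACTION}&content_rech_data=Free+shipping"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the first two sample records are reported; pair a hit with the response-side indicator above (JSON body containing 'oceanwp-woo-free-shipping') to separate attempts from successful execution.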